
Anyone else observing change in "explorer.exe" settings in HKLM

I'm dealing with a "probable" infection affecting 2 large network segments with around 4000 odd machines. Our firewalls and IPS show no major activity in the last 2 weeks. I went through VM copies of machines currently deployed but I've found nothing. I'm to an extent convinced that this is not due to infection, however there is one thing which has changed on ALL the machines (when I say all, around 400 machines where load point analysis was done are being considered.)

Registry value "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell" is set to "", but it should be "explorer.exe".

Is anyone else noticing the same in their environment? I'll check with my counterparts in different group companies today morning (4 AM here) but I wanted to see if anyone else is going through a network clog and is seeing this same registry change.

Sorry for the delay in replying, but time zones, sleep and... the usual suspects?

I have looked at my home setup and two small clients'... no sign of this here. I seem to recall that you could make this adjustment so that if "" was detected it then opened a new shell specific to a user or possibly user group? You had to define this somewhere, so if you search for the registry string you mentioned you will probably find the M$ article, and where to look for what the system will now do?

I seem to recall that the general idea was to cut the login time caused by loading explorer.exe and possibly stop users going where they shouldn't (albeit a Smith & Wesson is a better solution for the latter).

To be honest with you mate, I don't like the looks of this... My first (CYA) move would be to isolate one of the machines and run a few online AV scanners against it... then MalwareBytes and SpyBot S&D for good measure.

I would also ask myself "who within the organisation is empowered to make such changes?"

Well, I slept for 14 hours straight plus maybe another 6 hours, which I think is weird for me. Anyway, all machines here are showing this. I am not sure why. I made a VM copy of one of the machines but didn't find anything in it.

Hey, sorry for the late response on the subject, just got back in from Vegas.
I would look into the registry file deeper. If this was somebody trying to be clever, he could have had regedit display "" via a null character in the name and thus hide what the actual registry value in the name is. I don't ever recall hearing exactly what Nihil is talking about, but the article I think he is referring to is here: http://msdn.microsoft.com/en-us/libr...dded.5%29.aspx

Though I didn't see any indication of "" going to another value >.< Then again, I am slightly rushed today.

Anywho, I suggest looking into that registry value with a program that isn't regedit, like the REG command on the command prompt, if you haven't already done so, in order to see if somebody is hiding some secret path =P

Also, are you on a Vista or up Windows version? If so, then you should know the HKLM is virtualized and the actual values are stored in HKCU\Software\Classes\VirtualStore\Machine\Software\
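An added example of the audit suggested in this thread (my own script, not something posted by anyone above): it reads the Winlogon Shell value through the .NET registry API instead of regedit, flags an empty or non-default value, an unexpected value type, data or value names containing embedded NUL characters, and also checks the per-user Winlogon key and the UAC VirtualStore copy. It assumes it runs locally with rights to read HKLM; wrap the function in Invoke-Command to run it across a fleet.

```powershell
# Added example, not from the thread: audit Winlogon\Shell without regedit.
# Assumes local execution with read access to HKLM.
$Expected = 'explorer.exe'
$KeyPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
    # Per-user Shell value overrides the machine value for that user if present
    'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon',
    # UAC virtualization target for legacy per-user writes; exists only if something wrote there
    'HKCU:\Software\Classes\VirtualStore\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
)

function Test-WinlogonShell {
    param([Parameter(Mandatory)][string]$KeyPath)
    $r = [ordered]@{ Computer = $env:COMPUTERNAME; Path = $KeyPath; Kind = $null; Value = $null; Findings = @() }
    if (-not (Test-Path -LiteralPath $KeyPath)) { $r.Findings += 'key not present'; return [pscustomobject]$r }
    $key   = Get-Item -LiteralPath $KeyPath
    $names = $key.GetValueNames()
    if ('Shell' -notin $names) {
        $r.Findings += 'Shell value missing (winlogon falls back to explorer.exe)'
    } else {
        $r.Kind  = [string]$key.GetValueKind('Shell')
        # Do not expand so a REG_EXPAND_SZ built from environment variables is shown as written
        $r.Value = [string]$key.GetValue('Shell', $null, 'DoNotExpandEnvironmentNames')
        if ($r.Kind -ne 'String') { $r.Findings += "unexpected value type $($r.Kind)" }
        if ($r.Value -eq '') { $r.Findings += 'Shell is an empty string' }
        elseif ($r.Value -ne $Expected) { $r.Findings += "Shell is '$($r.Value)', expected '$Expected'" }
        if ($r.Value.IndexOf([char]0) -ge 0) { $r.Findings += 'embedded NUL in Shell data' }
    }
    # Look-alike names that regedit renders the same as "Shell": trailing spaces or embedded NULs.
    # Dump the UTF-16 bytes so the hidden characters are visible in the report.
    foreach ($n in $names) {
        if ($n -cne 'Shell' -and ($n.Trim() -ieq 'Shell' -or $n.IndexOf([char]0) -ge 0)) {
            $hex = ([Text.Encoding]::Unicode.GetBytes($n) | ForEach-Object { $_.ToString('x2') }) -join ' '
            $r.Findings += "suspicious value name (UTF-16 hex: $hex)"
        }
    }
    if ($r.Findings.Count -eq 0) { $r.Findings += 'ok' }
    [pscustomobject]$r
}

$KeyPaths | ForEach-Object { Test-WinlogonShell -KeyPath $_ } | Format-List
```

A machine whose Shell is "" will report 'Shell is an empty string' for the HKLM key; comparing the output across the 400 analysed hosts shows whether the change is uniform (a policy or image change) or scattered (worth a closer look).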